draft-ietf-anima-constrained-voucher-07.txt   draft-ietf-anima-constrained-voucher-08.txt 
anima Working Group M. Richardson anima Working Group M. Richardson
Internet-Draft Sandelman Software Works Internet-Draft Sandelman Software Works
Intended status: Standards Track P. van der Stok Intended status: Standards Track P. van der Stok
Expires: July 18, 2020 vanderstok consultancy Expires: January 14, 2021 vanderstok consultancy
P. Kampanakis P. Kampanakis
Cisco Systems Cisco Systems
January 15, 2020 July 13, 2020
Constrained Voucher Artifacts for Bootstrapping Protocols Constrained Voucher Artifacts for Bootstrapping Protocols
draft-ietf-anima-constrained-voucher-07 draft-ietf-anima-constrained-voucher-08
Abstract Abstract
This document defines a strategy to securely assign a pledge to an This document defines a strategy to securely assign a pledge to an
owner, using an artifact signed, directly or indirectly, by the owner, using an artifact signed, directly or indirectly, by the
pledge's manufacturer. This artifact is known as a "voucher". pledge's manufacturer. This artifact is known as a "voucher".
This document builds upon the work in [RFC8366], encoding the This document builds upon the work in [RFC8366], encoding the
resulting artifact in CBOR. Use with two signature technologies are resulting artifact in CBOR. Use with two signature technologies are
described. described.
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 18, 2020. This Internet-Draft will expire on January 14, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 9 skipping to change at page 3, line 9
9.6.1. application/voucher-cms+cbor . . . . . . . . . . . . 21 9.6.1. application/voucher-cms+cbor . . . . . . . . . . . . 21
9.6.2. application/voucher-cose+cbor . . . . . . . . . . . . 22 9.6.2. application/voucher-cose+cbor . . . . . . . . . . . . 22
9.7. CoAP Content-Format Registry . . . . . . . . . . . . . . 23 9.7. CoAP Content-Format Registry . . . . . . . . . . . . . . 23
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23
11. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 24 11. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 24
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
12.1. Normative References . . . . . . . . . . . . . . . . . . 24 12.1. Normative References . . . . . . . . . . . . . . . . . . 24
12.2. Informative References . . . . . . . . . . . . . . . . . 26 12.2. Informative References . . . . . . . . . . . . . . . . . 26
Appendix A. EST messages to EST-coaps . . . . . . . . . . . . . 26 Appendix A. EST messages to EST-coaps . . . . . . . . . . . . . 26
A.1. enrollstatus . . . . . . . . . . . . . . . . . . . . . . 26 A.1. enrollstatus . . . . . . . . . . . . . . . . . . . . . . 26
A.2. voucher_status . . . . . . . . . . . . . . . . . . . . . 27 A.2. voucher_status . . . . . . . . . . . . . . . . . . . . . 28
A.3. requestvoucher . . . . . . . . . . . . . . . . . . . . . 28 A.3. requestvoucher . . . . . . . . . . . . . . . . . . . . . 28
A.3.1. signed requestvoucher . . . . . . . . . . . . . . . . 28 A.3.1. signed requestvoucher . . . . . . . . . . . . . . . . 28
A.4. requestauditing . . . . . . . . . . . . . . . . . . . . . 29 A.4. requestauditing . . . . . . . . . . . . . . . . . . . . . 30
Appendix B. Signed voucher-request examples . . . . . . . . . . 30 Appendix B. Signed voucher-request examples . . . . . . . . . . 31
B.1. CMS signed voucher-request example . . . . . . . . . . . 30 B.1. CMS signed voucher-request example . . . . . . . . . . . 31
Appendix C. COSE examples . . . . . . . . . . . . . . . . . . . 33 Appendix C. COSE examples . . . . . . . . . . . . . . . . . . . 34
C.1. Device, Registrar and MASA keys . . . . . . . . . . . . . 33 C.1. Device, Registrar and MASA keys . . . . . . . . . . . . . 34
C.1.1. Device IDevID certificate . . . . . . . . . . . . . . 33 C.1.1. Device IDevID certificate . . . . . . . . . . . . . . 34
C.1.2. Device private key . . . . . . . . . . . . . . . . . 34 C.1.2. Device private key . . . . . . . . . . . . . . . . . 35
C.1.3. Registrar Certificate . . . . . . . . . . . . . . . . 35 C.1.3. Registrar Certificate . . . . . . . . . . . . . . . . 36
C.1.4. Registrar private key . . . . . . . . . . . . . . . . 35 C.1.4. Registrar private key . . . . . . . . . . . . . . . . 36
C.1.5. MASA Certificate . . . . . . . . . . . . . . . . . . 35 C.1.5. MASA Certificate . . . . . . . . . . . . . . . . . . 36
C.1.6. MASA private key . . . . . . . . . . . . . . . . . . 35 C.1.6. MASA private key . . . . . . . . . . . . . . . . . . 36
C.2. COSE signed requestvoucher with registrar certificate C.2. COSE signed requestvoucher with registrar certificate
pinned . . . . . . . . . . . . . . . . . . . . . . . . . 36 pinned . . . . . . . . . . . . . . . . . . . . . . . . . 37
C.3. COSE signed parboiled requestvoucher . . . . . . . . . . 36 C.3. COSE signed parboiled requestvoucher . . . . . . . . . . 37
C.4. COSE signed voucher . . . . . . . . . . . . . . . . . . . 37 C.4. COSE signed voucher . . . . . . . . . . . . . . . . . . . 38
C.5. COSE signed request voucher . . . . . . . . . . . . . . . 39 C.5. COSE signed request voucher . . . . . . . . . . . . . . . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40
1. Introduction 1. Introduction
Enrollment of new nodes into constrained networks with constrained Enrollment of new nodes into constrained networks with constrained
nodes present unique challenges. nodes present unique challenges.
There are bandwidth and code space issues to contend. A solution There are bandwidth and code space issues to contend. A solution
such as [I-D.ietf-anima-bootstrapping-keyinfra] may be too large in such as [I-D.ietf-anima-bootstrapping-keyinfra] may be too large in
terms of code space or bandwidth required. terms of code space or bandwidth required.
This document defines a constrained version of [RFC8366]. Rather This document defines a constrained version of [RFC8366]. Rather
than serializing the YANG definition in JSON, it is serialized into than serializing the YANG definition in JSON, it is serialized into
CBOR ([RFC7049]). CBOR ([RFC7049]).
This document follows a similar, but not identical structure as This document follows a similar, but not identical structure as
[RFC8366]. Some sections are left out entirely. Additional sections [RFC8366]. Some sections are left out entirely.
have been added concerning:
There are three constrained situations described in this document: 1.
CMS signed CBOR encoded vouchers transported using CoAP, protected by
DTLS (coaps). 2. COSE signed CBOR encoded vouchers transported using
CoAP, protected by EDHOC. 3. COSE signed CBOR encoded vouchers,
integrated into the key exchange as described by
[I-D.selander-ace-ake-authz]
Additional sections have been added concerning:
1. Addition of voucher-request specification as defined in 1. Addition of voucher-request specification as defined in
[I-D.ietf-anima-bootstrapping-keyinfra], [I-D.ietf-anima-bootstrapping-keyinfra],
2. Addition to [I-D.ietf-ace-coap-est] of voucher transport requests 2. Addition to [I-D.ietf-ace-coap-est] of voucher transport requests
over CoAP. over CoAP.
The CBOR definitions for this constrained voucher format are defined The CBOR definitions for this constrained voucher format are defined
using the mechanism describe in [I-D.ietf-core-yang-cbor] using the using the mechanism describe in [I-D.ietf-core-yang-cbor] using the
SID mechanism explained in [I-D.ietf-core-sid]. As the tooling to SID mechanism explained in [I-D.ietf-core-sid]. As the tooling to
skipping to change at page 4, line 30 skipping to change at page 4, line 37
The following terms are defined in [RFC8366], and are used The following terms are defined in [RFC8366], and are used
identically as in that document: artifact, imprint, domain, Join identically as in that document: artifact, imprint, domain, Join
Registrar/Coordinator (JRC), Manufacturer Authorized Signing Registrar/Coordinator (JRC), Manufacturer Authorized Signing
Authority (MASA), pledge, Trust of First Use (TOFU), and Voucher. Authority (MASA), pledge, Trust of First Use (TOFU), and Voucher.
3. Requirements Language 3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
4. Survey of Voucher Types 4. Survey of Voucher Types
[RFC8366] provides for vouchers that assert proximity, that [RFC8366] provides for vouchers that assert proximity, that
authenticate the registrar and that include different amounts of authenticate the registrar and that include different amounts of
anti-replay protection. anti-replay protection.
This document does not make any extensions to the types of vouchers. This document does not make any extensions to the types of vouchers.
skipping to change at page 5, line 20 skipping to change at page 5, line 26
This document defines both CMS-signed voucher requests and responses, This document defines both CMS-signed voucher requests and responses,
and COSE signed voucher requests and responses. The use of CMS and COSE signed voucher requests and responses. The use of CMS
signatures implies the use of PKIX format certificates. The pinned- signatures implies the use of PKIX format certificates. The pinned-
domain-cert present in such a voucher, is the certificate of the domain-cert present in such a voucher, is the certificate of the
Registrar. Registrar.
The constrained voucher and constrained voucher request MUST be The constrained voucher and constrained voucher request MUST be
signed. signed.
The use of the two signing formats permit the use of both PKIX format The use of the two signing formats permit the use of both PKIX format
certificates, and raw public keys (RPK). When RPKs are used, the certificates, and raw public keys (RPK).
voucher produced by the MASA pins the raw public key of the
Registrar: the pinned-domain-subject-public-key-info in such a When RPKs are used, the voucher produced by the MASA pins the raw
voucher, is the raw public key of the Registrar. This is described public key of the Registrar: the pinned-domain-subject-public-key-
in the YANG definition for the constrained voucher. info in such a voucher, is the raw public key of the Registrar. This
is described in the YANG definition for the constrained voucher.
5. Discovery and URI 5. Discovery and URI
This section describes the BRSKI extensions to EST-coaps This section describes the BRSKI extensions to EST-coaps
[I-D.ietf-ace-coap-est] to transport the voucher between registrar, [I-D.ietf-ace-coap-est] to transport the voucher between registrar,
proxy and pledge over CoAP. The extensions are targeted to low- proxy and pledge over CoAP. The extensions are targeted to low-
resource networks with small packets. Saving header space is resource networks with small packets. Saving header space is
important and the EST-coaps URI is shorter than the EST URI. important and the EST-coaps URI is shorter than the EST URI.
The presence and location of (path to) the management data are The presence and location of (path to) the management data are
skipping to change at page 21, line 26 skipping to change at page 21, line 26
9.4. The RFC SID range assignment sub-registry 9.4. The RFC SID range assignment sub-registry
------------ ------ --------------------------- ------------ ------------ ------ --------------------------- ------------
Entry-point | Size | Module name | RFC Number Entry-point | Size | Module name | RFC Number
------------ ------ --------------------------- ------------ ------------ ------ --------------------------- ------------
2450 50 ietf-constrained-voucher [ThisRFC] 2450 50 ietf-constrained-voucher [ThisRFC]
2500 50 ietf-constrained-voucher [ThisRFC} 2500 50 ietf-constrained-voucher [ThisRFC}
-request -request
----------- ------ --------------------------- ------------ ----------- ------ --------------------------- ------------
Warning: These SID values are defined in [I-D.ietf-core-sid]. Warning: These SID values are defined in [I-D.ietf-core-sid], not as
an Early Allocation.
9.5. The SMI Security for S/MIME CMS Content Type Registry 9.5. The SMI Security for S/MIME CMS Content Type Registry
This document registers an OID in the "SMI Security for S/MIME CMS This document registers an OID in the "SMI Security for S/MIME CMS
Content Type" registry (1.2.840.113549.1.9.16.1), with the value: Content Type" registry (1.2.840.113549.1.9.16.1), with the value:
Decimal Description References Decimal Description References
------- -------------------------------------- ---------- ------- -------------------------------------- ----------
46 id-ct-animaCBORVoucher [ThisRFC] 46 id-ct-animaCBORVoucher [ThisRFC]
skipping to change at page 24, line 43 skipping to change at page 24, line 43
[I-D.ietf-ace-coap-est] [I-D.ietf-ace-coap-est]
Stok, P., Kampanakis, P., Richardson, M., and S. Raza, Stok, P., Kampanakis, P., Richardson, M., and S. Raza,
"EST over secure CoAP (EST-coaps)", draft-ietf-ace-coap- "EST over secure CoAP (EST-coaps)", draft-ietf-ace-coap-
est-18 (work in progress), January 2020. est-18 (work in progress), January 2020.
[I-D.ietf-anima-bootstrapping-keyinfra] [I-D.ietf-anima-bootstrapping-keyinfra]
Pritikin, M., Richardson, M., Eckert, T., Behringer, M., Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
and K. Watsen, "Bootstrapping Remote Secure Key and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
keyinfra-34 (work in progress), January 2020. keyinfra-41 (work in progress), April 2020.
[I-D.ietf-core-sid] [I-D.ietf-core-sid]
Veillette, M., Pelov, A., and I. Petrov, "YANG Schema Item Veillette, M., Pelov, A., and I. Petrov, "YANG Schema Item
iDentifier (SID)", draft-ietf-core-sid-08 (work in iDentifier (YANG SID)", draft-ietf-core-sid-14 (work in
progress), January 2020. progress), July 2020.
[I-D.ietf-core-yang-cbor] [I-D.ietf-core-yang-cbor]
Veillette, M., Petrov, I., and A. Pelov, "CBOR Encoding of Veillette, M., Petrov, I., and A. Pelov, "CBOR Encoding of
Data Modeled with YANG", draft-ietf-core-yang-cbor-11 Data Modeled with YANG", draft-ietf-core-yang-cbor-13
(work in progress), September 2019. (work in progress), July 2020.
[I-D.selander-ace-ake-authz]
Selander, G., Mattsson, J., Vucinic, M., Richardson, M.,
and A. Schellenbaum, "Lightweight Authorization for
Authenticated Key Exchange.", draft-selander-ace-ake-
authz-01 (work in progress), March 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
 End of changes. 14 change blocks. 
36 lines changed or deleted 51 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/